marcel/argo-cd
1
0
Fork 0
mirror of https://github.com/argoproj/argo-cd.git synced 2026-02-20 01:28:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
argo-cd/server/application/websocket_test.go
sivchari 922d080ae5 chore: upgrade Go to 1.24 (#22242) 
Signed-off-by: sivchari <shibuuuu5@gmail.com>
2025-03-10 10:14:41 -04:00

215 lines
5.7 KiB
Go
Raw Permalink Blame History

package application
import (
"context"
"encoding/json"
"net/http"
"net/http/httptest"
"strings"
"testing"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes/fake"
"github.com/argoproj/argo-cd/v3/common"
"github.com/argoproj/argo-cd/v3/util/assets"
"github.com/argoproj/argo-cd/v3/util/rbac"
"github.com/golang-jwt/jwt/v5"
"github.com/gorilla/websocket"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func newTestTerminalSession(w http.ResponseWriter, r *http.Request) terminalSession {
upgrader := websocket.Upgrader{}
c, err := upgrader.Upgrade(w, r, nil)
if err != nil {
return terminalSession{}
}
return terminalSession{wsConn: c}
}
func newEnforcer() *rbac.Enforcer {
additionalConfig := make(map[string]string, 0)
kubeclientset := fake.NewClientset(&corev1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Namespace: testNamespace,
Name: "argocd-cm",
Labels: map[string]string{
"app.kubernetes.io/part-of": "argocd",
},
},
Data: additionalConfig,
}, &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "argocd-secret",
Namespace: testNamespace,
},
Data: map[string][]byte{
"admin.password": []byte("test"),
"server.secretkey": []byte("test"),
},
})
enforcer := rbac.NewEnforcer(kubeclientset, testNamespace, common.ArgoCDRBACConfigMapName, nil)
return enforcer
}
func reconnect(w http.ResponseWriter, r *http.Request) {
ts := newTestTerminalSession(w, r)
_, _ = ts.reconnect()
}
func TestReconnect(t *testing.T) {
s := httptest.NewServer(http.HandlerFunc(reconnect))
defer s.Close()
u := "ws" + strings.TrimPrefix(s.URL, "http")
// Connect to the server
ws, _, err := websocket.DefaultDialer.Dial(u, nil)
require.NoError(t, err)
defer ws.Close()
_, p, _ := ws.ReadMessage()
var message TerminalMessage
err = json.Unmarshal(p, &message)
require.NoError(t, err)
assert.Equal(t, ReconnectMessage, message.Data)
}
func testServerConnection(t *testing.T, testFunc func(w http.ResponseWriter, r *http.Request), expectPermissionDenied bool) {
t.Helper()
s := httptest.NewServer(http.HandlerFunc(testFunc))
defer s.Close()
u := "ws" + strings.TrimPrefix(s.URL, "http")
// Connect to the server
ws, _, err := websocket.DefaultDialer.Dial(u, nil)
require.NoError(t, err)
defer ws.Close()
if expectPermissionDenied {
_, p, _ := ws.ReadMessage()
var message TerminalMessage
err = json.Unmarshal(p, &message)
require.NoError(t, err)
assert.Equal(t, "Permission denied", message.Data)
}
}
func TestVerifyAndReconnectDisableAuthTrue(t *testing.T) {
validate := func(w http.ResponseWriter, r *http.Request) {
ts := newTestTerminalSession(w, r)
// Currently testing only the usecase of disableAuth: true since the disableAuth: false case
// requires a valid token to be passed in the request.
// Note that running with disableAuth: false will surprisingly succeed as well, because
// the underlying token nil pointer dereference is swallowed in a location I didn't find,
// or even swallowed by the test framework.
ts.terminalOpts = &TerminalOptions{DisableAuth: true}
code, err := ts.performValidationsAndReconnect([]byte{})
assert.Equal(t, 0, code)
require.NoError(t, err)
}
testServerConnection(t, validate, false)
}
func TestValidateWithAdminPermissions(t *testing.T) {
validate := func(w http.ResponseWriter, r *http.Request) {
enf := newEnforcer()
_ = enf.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
enf.SetDefaultRole("role:admin")
enf.SetClaimsEnforcerFunc(func(_ jwt.Claims, _ ...any) bool {
return true
})
ts := newTestTerminalSession(w, r)
ts.terminalOpts = &TerminalOptions{Enf: enf}
ts.appRBACName = "test"
//nolint:staticcheck
ts.ctx = context.WithValue(t.Context(), "claims", &jwt.MapClaims{"groups": []string{"admin"}})
_, err := ts.validatePermissions([]byte{})
require.NoError(t, err)
}
testServerConnection(t, validate, false)
}
func TestValidateWithoutPermissions(t *testing.T) {
validate := func(w http.ResponseWriter, r *http.Request) {
enf := newEnforcer()
_ = enf.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
enf.SetDefaultRole("role:test")
enf.SetClaimsEnforcerFunc(func(_ jwt.Claims, _ ...any) bool {
return false
})
ts := newTestTerminalSession(w, r)
ts.terminalOpts = &TerminalOptions{Enf: enf}
ts.appRBACName = "test"
//nolint:staticcheck
ts.ctx = context.WithValue(t.Context(), "claims", &jwt.MapClaims{"groups": []string{"test"}})
_, err := ts.validatePermissions([]byte{})
require.Error(t, err)
assert.EqualError(t, err, common.PermissionDeniedAPIError.Error())
}
testServerConnection(t, validate, true)
}
func TestTerminalSession_Write(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
upgrader := websocket.Upgrader{}
conn, err := upgrader.Upgrade(w, r, nil)
require.NoError(t, err)
defer conn.Close()
for {
// Read the message from the WebSocket connection
messageType, message, err := conn.ReadMessage()
if err != nil {
return
}
// Respond back the same message
err = conn.WriteMessage(messageType, message)
require.NoError(t, err)
}
}))
defer server.Close()
u := "ws" + strings.TrimPrefix(server.URL, "http")
wsConn, _, err := websocket.DefaultDialer.Dial(u, nil)
require.NoError(t, err)
defer wsConn.Close()
ts := terminalSession{
wsConn: wsConn,
}
testData := []byte("hello world")
expectedMessage, err := json.Marshal(TerminalMessage{
Operation: "stdout",
Data: string(testData),
})
require.NoError(t, err)
n, err := ts.Write(testData)
require.NoError(t, err)
assert.Equal(t, len(testData), n)
_, receivedMessage, err := wsConn.ReadMessage()
require.NoError(t, err)
assert.Equal(t, expectedMessage, receivedMessage)
}
Reference in New Issue View Git Blame Copy Permalink